This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch fix/plexus-exclusion
in repository https://gitbox.apache.org/repos/asf/struts.git

commit cf74a4450c60c616a283ccadd96cae8410fa9e05
Author: Lukasz Lenart <lukaszlen...@apache.org>
AuthorDate: Mon Jan 22 09:28:14 2024 +0100

    Fixes excluding Plexus container in OWASP scan
---
 src/etc/project-suppression.xml | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/src/etc/project-suppression.xml b/src/etc/project-suppression.xml
index be1c572b1..7b2a1c5fb 100644
--- a/src/etc/project-suppression.xml
+++ b/src/etc/project-suppression.xml
@@ -132,21 +132,16 @@
         <notes><![CDATA[ file name: plexus-utils-1.2.jar]]></notes>
         <packageUrl 
regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
         <cpe>cpe:/a:plexus-utils_project:plexus-utils</cpe>
+        <cve>CVE-2022-4244</cve>
+        <cve>CVE-2022-4245</cve>
+        <cve>CVE-2017-1000487</cve>
     </suppress>
     <suppress>
-        <notes><![CDATA[file name: plexus-utils-1.2.jar]]></notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
-        <vulnerabilityName>CVE-2017-1000487</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: plexus-utils-1.2.jar]]></notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
-        <vulnerabilityName>Directory traversal in 
org.codehaus.plexus.util.Expand</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: plexus-utils-1.2.jar]]></notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
-        <vulnerabilityName>Possible XML Injection</vulnerabilityName>
+        <notes><![CDATA[ file name: 
plexus-container-default-1.0-alpha-10.jar]]></notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.codehaus\.plexus\/plexus\-container\-default@.*$</packageUrl>
+        <cpe>cpe:/a:plexus-utils_project:plexus-utils</cpe>
+        <cve>CVE-2022-4244</cve>
+        <cve>CVE-2022-4245</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[file name: oval-1.90.jar]]></notes>
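Review bot: Both rebuilt `<suppress>` entries (the plexus-utils one ending before the second `<suppress>`, and the new plexus-container-default one) are open-ended: neither carries an `until` attribute, and their `<notes>` record only the jar name, not why CVE-2022-4244, CVE-2022-4245 and CVE-2017-1000487 do not apply to this build. A `<cpe>` suppression silences current and future findings for that CPE, so without a rationale a reader of the scan report cannot tell whether these were assessed or merely hidden; I would write `<suppress until="YYYY-MM-DDZ">` (placeholder date, to force re-review) and extend the notes along the lines of `<notes><![CDATA[file name: plexus-container-default-1.0-alpha-10.jar - misidentified as plexus-utils; [reason the CVEs are not reachable here]; re-review on next Plexus upgrade]]></notes>`. Separately, the deleted entries matched findings by `vulnerabilityName` ("Directory traversal in org.codehaus.plexus.util.Expand", "Possible XML Injection"); if the scanner still reports those without a CVE id, the new `<cve>`-only lines will not cover them, so this is worth confirming on the next scan run. Minor style point: the new `packageUrl` regex escapes the slash (`\/`) while the existing plexus-utils entry does not; using the same form in both keeps them easy to compare.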
